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DETAILED ACTION 

1 . Claims 1-22 are examined. 

Specification 

2. The abstract of the disclosure is objected to because the abstract contains more than 1 50 words. 
Correction is required. See MPEP § 608.01(b). 

3. In the abstract, the term "LDAP" should be spelled out as "lightweight directory access protocol." 

4. Claim 22 is objected to because of the following informalities: claim is numbered as "Claim 22:" - 
should be numbered as "22". Appropriate correction is required. 

Claim Rejections - 35 USC § 101 

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new acid useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 9-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non- 
statutory subject matter. Claims 9 and 15, including the respective dependent claims 10-14 and 16-20, 
recite computer program that are not tangibly embodied on an appropriate computer-readable storage 
medium; thus the claims do not constitute statutory subject matter. 

Claim Rejections - 35 USC § 102 

6. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for 
the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in 
public use or on sale in this country, more than one year prior to the date of application for patent in 
the United States. 

Claims 1-3, 5-6, 8, 15, 19-20 and 22 are rejected under 35 U.S.C. 102(b) as being anticipated by 
Wenisch, et al (US Pub No.: 2003/0033545 A1 , cited by applicant and now US Pat No.: 7,100,054 B2), 
referred as "Wenisch" hereinafter. 

7. As per claim 1_, Wenisch discloses, 

A method for authentication in a network, the method comprising: (Par. [0004], lines 1-3, "in 
one embodiment of the invention, a method is provided for authenticating a user of a computer over a 
computer network"). 
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- creating a credential string which is derived from a session ID; (Par. [0004], lines 9-1 1 , "the 
challenge string can be either a sequence number or a session identifier or another numerical or 
alphanumerical identifier"). The "challenge string" is "credential string" as claimed. 

- sending a UserlD associated with the session ID and the credential string to a software 
application; (see FIG. 2 and Par. [0020], lines 1-4, "the security applet 18 is provided with a challenge 
string, such as a unique session identification (ID) or a sequence number, and an encryption key as 
parameters from a web server"). Wenisch further discloses, (Par. [0021], lines 1-5, "the login packet 20 
can, but not necessarily, contain the challenge string, and the password or other credentials in encrypted 
form and a hash of the data in these three fields"). 

- receiving a confirmation request which includes the credential string; (Par. [0005], lines 6- 
8, "receive a login packet having the challenge string and a password that is encrypted using the first 
encryption key"). 

- and sending a response in reply to the confirmation request to validate the credential 
string to authenticate the UserlD] (Par. [0005], lines 1-3 and 8-10, "in another embodiment of the 
invention, a system is provided for authenticating a user of a computer over a computer network") and 
("and authenticate the password by using information provided by an authentication provider"). 

8. As per claim 2 . Wenisch discloses, 

- the step of maintaining a password at a portal and not sending the password to 
authenticate the UserlD ; (see FIG. 2 and Par. [0020], lines 4-8, "when the user transmits the login form 
to the web server by clicking a login button or some other means, the security applet 18 in the hidden 
frame retrieves the user name and password from the login form, and creates a login packet to be sent to 
the web server"). 

9. As per claim 3 . Wenisch discloses, 

- wherein the credential string is an encrypted hash of the session ID (abstract, lines 11-15, 
"the login packet can further include a user name, wherein the session identification, the user name, and 
the password are encrypted. Additionally, the login packet can include a hash of the session identification, 
the user name, and the password"). 
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10. As per claim 5 , Wenisch discloses, 

- wherein the sending of a UserlD and the credential string avoids at least one of sending a 
user's password outside of a portal server and storing the password in persistent memory (Par. 
[0021], lines 9-5, "after the login packet is transmitted to the web server 14, the security applet 18 resides 
in the hidden frame of the computer 12 the usemame, session ID, and password of the user until the user 
closes their browser or accesses a different web page other than one associated with the secure page 
supplied from the web server 14"). 

11. As per claim 6 . Wenisch discloses. 

- sending the UserlD associated with the session ID and the credential string to a software 
application proxy; (see FIG. 2 and Par. [0023], lines 4-8, "the web server 14 then transmits to the 
authentication provider 16 authentication data including the username and encrypted credentials and 
requests that the authentication provider verify the authentication data"). 

- checking whether the session ID and credential string has been previously received 
within a predetermined time period; (Par. [0026], lines 9-12, "to provide additional security, the session 
ID preferably expires if the user doesn't make a page request after a predetermined time interval"). 

- and if affirmative, initiating a security breach procedure (Par. [0027], lines 1-5, "FIG. 3 
shows an illustrative example of how he web server 14 of FIG. 1 can also authenticate each form 
response submitted to the web server to prevent against falsified or modified form data from being 
submitted to the web server"). 

12. As per claim 8 , Wenisch discloses, 

- wherein the receiving step and sending a response step is performed by an 
authentication proxy (Par. [0024], lines 1 to Par. [025], line 3, "the authentication provider 16 receives 
and decrypts the authentication data and validates it using a security method, such. as NT.RTM system 
call. The authentication provider 16 then creates a response for the web server 14 by hashing the 
decrypted credentials and a secret string"). 

13. As per claim 15 > Wenisch discloses, 

A system for authenticating a session, comprising: an authentication proxy which 
receives requests to authenticate a UserlD and credential string; (Par. [0030], lines 1-3, "a method of 
authenticating a form submitted by the user of a computer network of FIG. 1 will now be described with 
reference to FIG. 5"). 
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- and a credential string validation component which receives requests to validate the 
credential string; (Par. [0030], lines 13-14, ("at 66, the fields and the values entered on the form are 
authenticated"). 

- wherein the credential string validation component checks whether the credential string 
has been previously received for validation within a predetermined time period (rejection of claim 6 
is applied to similar limitation). 

14. As per claim 19. 

This claim recites similar limitation similar to that of claim 6, thus it is rejected with the same 
rationale applied against claim 6 above. 

15. As per claim 20 , Wenisch discloses, 

- a portal to create and encrypt the credential string by hashing a session ID, the portal 
sends the credential string and the UserlD to the software application proxy, and does not send a 
password associated with the UserlD (Par. [0028], lines 1-10, "a program, using code such as 
JavaScript, can be used to transmit data from the form to the web server when the user fills out and 
submits the form to the web server. The program can collect the name and contents of each field in the 
form and the session number provided for this form request and pass this data to the hidden security 
applet which still is in memory in the hidden frame. The security applet then creates authentication data 
30 including a hash code of the session ID, sequence number, plaintext user password, and all fields and 
values on the web form"). 

16. As per claim 22 . rejection of claim 1 is incorporated and Wenisch further discloses, 

A computer program product comprising a computer usable medium having readable 
program code embodied in the medium (Par. [0006], lines 1-5, "in yet another embodiment of the 
invention, an article of manufacture is provided that includes a computer readable medium having 
computer readable program code for authenticating a user of a client computer over a computer 
network"). 



Application/Control Number: 1 0/791 ,322 Page 6 

Art Unit: 2109 

Claim Rejections - 35 USC § 103 

1 7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 

rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



Claims 4, 7, 9-14, 16-18 and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Wenisch (US Pub No.: 2003/0033545 A1) as applied to the claims above, and further in view of Shrader 
et al. (US Pat No.: 6,374,359 B1), referred as "Shrader* hereinafter. 

18. As per claim 4 . Wenisch does not explicitly disclose, 

- performing a lightweight directory access protocol (LDAP) lookup using the UserlD; 

- and if the LDAP lookup confirms the UserlD and the response validates the credential 
string, returning a successful authentication reply to the software application for establishing a 
session associated with the session ID, otherwise sending an unsuccessful authentication reply 
to the software application 

However, in the same filed of endeavor, Shrader discloses the above limitation as, (see FIG. 2 
and column 2, lines 65-67, "the given server application, in one embodiment, is a Lightweight Directory 
Access Protocol (LDAP) GUI interface"); and 

(See FIG. 3 and column 5, lines 50-60, "at step 56, the LDAP GUI Web server CGIs check to see 
if the user name and password are valid. This is accomplished, for example, by calling the appropriate 
LDAP API to determine whether the user seeking to log in exists in the directory. If the outcome of the 
test at step 56 indicates that the user name and password are not valid, the GGIs issue a user name and 
password error message at step 58 and control returns to step 52. If, however, the outcome of the test at 
step 56 indicates that the username and password are valid, the routine continues at step 60 "). 

Therefore, it would have been obvious to one of having ordinary skill in the art, at the time the 
invention was made, to combine the teachings of Shrader into the method of Wenisch, because one of 
ordinary skill in the art would want to secure access to a LDAP authentication interface running on a Web 
server (see Shrader FIG. 3). 
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19. As per claim 7 , claim 6 is incorporated and Wenisch further discloses, 

- wherein the security breach procedure causes the termination of any session associated 
with the UserlD (Par. [0025], lines 1-3 and 9-10, "the authentication provider 16 then creates a response 
for the web server 14 by hashing the decrypted credentials and a secret string") and ("if the hash code 26 
is correct, then the web server 14 grants the user access to the web site"). Thus, implying that termination 
would occur if the hash code 26 were incorrect. 

20. As per claim 9 and 10 . Wenisch discloses, 

Method for authenticating a user request for a software application, the method 
comprising: receiving a UserlD and credential string at an authentication proxy server; (Par. 
[0007], lines 2-5, the authentication provider can be an authentication server or can be a software 
program installed on the computer in communication with the computer network"). 

- sending a confirmation request from the authentication proxy to a portal, the 
confirmation request includes the credential string; and receiving a response at the authentication 
proxy for the confirmation request; (see rejection of claim 1 above, as applied to this limitation). 

- and validating the UserlD (Par. [0030], lines 13-14, ("at 66, the fields and the values entered 
on the form are authenticated"). 

Wenisch does not explicitly disclose, 

- using a light weight directory access protocol (LDAP) lookup request and the response 

However, Shrader discloses the above limitation as, (column 4, lines 10-18, "as is well-known, the 
Web server accepts a client request and returns a response. The communication between the browser 
and the server is conducted using HTTP protocol. According to the present invention, it is assumed that 
the Web server supports a server application to which the user (at the client) desires access. By way of 
example only, the server application is an administration interface, such as the Lightweight Directory 
Access Protocol (LDAP) GUI CGI interface"). 

Therefore, it would have been obvious to one of having ordinary skill in the art, at the time the 
invention was made, to combine the teachings of Shrader into the method of Wenisch, because one of 
ordinary skill in the art would want to validate user's request to access a Web server (see Shrader column 
4, lines 27-34). 
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21. As per claim 1 1 and 14 . Wenisch discloses, 

- receiving the UserlD and a password during a logon to the portal, wherein the UserlD is 
validated in the validating step and the password is maintained at the portal and used to process 
the confirmation request; and creating the credential string from a session ID at the portal (Par. 
[0020], line 4 to Par. [0021], line 3, " when the user transmits the login form to the web server by clicking a 
login button or some other means, the security applet 18 in the hidden frame retrieves the user name and 
password from the login form, and creates a login packet to be sent to the web server. The login packet 
20 can, but not necessarily, contain the challenge string, such as the session ID provided by the server"). 

22. As per claim 12 . Wenisch discloses, 

- encrypting the credential string (Par. [0004], lines 3-7, "the method includes transmitting an 
applet having a designation, such as a challenge string, and a first encryption key, receiving a login 
packet having the challenge string and a password that is encrypted using the first encryption key"). 

23. As per claim 13 . Wenisch does not explicitly disclose, 

- validating the confirmation request by assuring the credential has been received only 
once for confirmation at the portal, otherwise, if presented more than once, performing at least 
one of initiating a security breach procedure and notifying a software application proxy (Par. 
[001 3], "it is still another object of this invention to ensure that a first user logs off from a web server 
completely so that a subsequent user cannot use the first user's userid and password to access protected 
documents or services"). 

24. As per claim 16 and 17. 

These claims recite similar limitations to that of claim 4, thus rejected with the same rationale 
applied against claim 4 above. 

25. As per claim 18 . Wenisch discloses, 

- wherein the authentication proxy receives the UserlD and credential string from a 
software application i (rejection of claim 1 above is applied to this limitation). 
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26. As per claim 21 . Wenisch discloses, 

- a portal for accepting a logon by a user and for creating the credential string from an 
associated session ID; (rejection of claim 20 above is applied to this limitation). 

Wenisch does not explicitly disclose, 

- a lightweight directory access protocol (LDAP) directory for authenticating UserlDs and 
which is accessible by the authentication proxy; 

However, Shrader discloses the above limitation as, (column 4, lines 27-32, "before using the 
functionality provided by the LDAP GUI from their Web browsers, users or administrators need to enter 
their LDAP user name (or distinguished name) and password on a login panel. These values are sent to 
the Web server and validated by the LDAP GUI CGIs"). 

- and a software application proxy for intercepting the UserlD and credential string sent by 
the portal for monitoring duplicate occurrences of the UserlD and credential string ( see rejection 
of claim 13, as applied to this limitation) 

Therefore, it would have been obvious to one of having ordinary skill in the art, at the time the 
invention was made, to combine the teachings of Shrader into the method of Wenisch, because one of 
ordinary skill in the art would want the LDAP interface authenticate the user for administrative or directory 
tasks (see Shrader column 4, lines 45-51). 

27. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
(See PTO-892) 

28. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Amare F. Tabor whose telephone number is (571) 270-3155. The examiner can normally 
be reached on Mon-Fri 7:30a.m. to 5:00p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Chameli Das can be reached on (571) 270-1392. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
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1000. 
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